TITLE OF THE INVENTION

FUNCTION RESTRICTING PROGRAM, INSTALLER CREATION PROGRAM AND 

PROGRAM STORAGE MEDIUM 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a function restricting
program for preventing information from being leaked, etc., an
installer creation program for creating an installer for
installing the function restricting program into a computer, a
program storage medium stored with the function restricting
program, and a program storage medium stored with the
installer creation program.

2. Description of the Related Art 

As is well known, jobs have been conducted by utilizing
computers in offices, factories, etc. (which will hereinafter
be generically referred to as offices, etc.) over the recent
years. Pieces of information used for the jobs, however,
contain information that should be prevented from being
printed and copied to mediums by unauthorized parties (that
should be prevented from being leaked to the outside).

A scheme of inhibiting the information from being
printed and copied to the mediums by the unauthorized parties
can be actualized by making each computer operate as a device
requesting a user to input a user name and a password when
starting the use of the computer (or when printing and copying
the information to the medium). As a matter of fact, there
exist offices, etc. where the leakage of the information is
prevented by adopting the password system.

Enabling a group of existing computers to prevent the
information leakage by utilizing the password system, however,
must involve a variety of operations (such as replacing the
preinstalled OS and applications, and changing the settings)
for the respective computers. Namely, the information leakage
preventing scheme based on the password system is costly to
carry out. Further, the information leakage preventing scheme
based on the password system involves a change in operation
procedures of the computer (wherein the password, etc. must be
inputted when starting the use thereof and when printing).

Such being the case, there has been developed a program
(refer to, e.g., Japanese Patent Application Laid-open
Publication No. 2002-149297) capable of invalidating each
designated menu item of a designated application by previously
designating the application (Web browser, etc.) and the menu
items (those related to printing and saving) to be invalidated,
i.e., by performing a so-called message hook.

The use of this program enables each computer to operate
as a device operable in the same procedures as conducted so
far but capable of preventing the unauthorized parties from
printing and copying the information to the mediums. That is,
it is feasible to actualize an environment capable of
preventing the information leakage by using this program
without causing any problems arising when adopting the
password system.

In this program, however, the security setting (such as
designating which menu item is invalidated) cannot be done
except on an application-by-application basis. Therefore, on
the occasion of utilizing this program, there arises a problem
in which it is impossible to make one of two pieces of
information browsed with the same application printable and
the other piece of information unprintable.

SUMMARY OF THE INVENTION

Under such circumstances, it is a first object of the
present invention to provide a function restricting program
capable of performing finer-grained security setting.

It is a second object of the present invention to
provide an installer creation program capable of facilitating
an operation of installing the function restricting program
into a plurality of computers.

To accomplish the first object, according to the present
invention, a function restricting program executed on a
computer including an input device and a display device is
created (written) so that it operates on the basis of security
policy information containing inhibited process designating
information, defined as information designating, with respect
to one or more caption character strings, the processes whose
execution is not permitted. In a case where a function
restricting target window, defined as a window whose title
character string is coincident with any one of the caption
character strings in the security policy information, is
displayed on the display device, the program makes the
computer operate as a device that does not execute the
respective processes whose execution is not permitted by the
inhibited process designating information contained in the
security policy information with respect to the caption
character string coincident with the title character string of
the function restricting target window.

The use of this function restricting program enables the
security setting to be done for every caption character string
(title character string), whereby finer-grained security
setting than in the prior art can be performed, such as making
one of two pieces of information browsed with the same
application printable and the other piece of information
unprintable.

To accomplish the second object, according to the
present invention, there is created an installer creation
program making a computer including an input device and a
display device operate as a device comprising security policy
information creating means for creating, on the basis of
information inputted to the input device, security policy
information containing inhibited process designating
information defined as information designating, with respect
to one or more caption character strings, the processes whose
execution is not permitted, and installer creating means for
creating an installer defined as a program which, upon its
execution, installs into a computer the security policy
information created by the security policy information
creating means and the function restricting program of the
present invention.

The use of the present installer creation program
eliminates a necessity of performing an operation of setting
the security policy information on the computer installed with
the function restricting program. Hence, the use of the
installer creation program of the present invention
facilitates an operation of installing the function
restricting program into a plurality of computers.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages of the present 
invention will become clear from the following description 
with reference to the accompanying drawings, wherein: 

FIG. 1 is an explanatory diagram of a system in which a
function restricting program according to one embodiment of
the present invention is utilized;

FIG. 2 is an explanatory diagram of a security policy
file utilized by the function restricting program;

FIG. 3 is an explanatory diagram of a caption character
string registration dialog box displayed when creating and
editing the security policy file;

FIG. 4 is an explanatory diagram of a security policy
setting dialog box displayed when creating and editing the
security policy file; and

FIG. 5 is a flowchart showing operation procedures of
the function restricting program.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
A best mode for embodying the present invention will 
hereinafter be described in detail with reference to the 
drawings. 

As schematically illustrated in FIG. 1, a function
restricting program 10 according to one embodiment of the
present invention is a program created on the assumption that
this program is executed on respective client terminals 50 in
a system (which will hereinafter be termed a business-oriented
network system) including a Web server device 60 and a
plurality of client terminals 50 provided with various
categories of Web pages from the Web server device 60.

The Web server device 60 in the business-oriented
network system utilizing this function restricting program 10
is normally preinstalled with an installer creation program 20
defined as a program prepared for easily installing the
function restricting program 10 (and a security policy file
15) with respect to the client terminals 50.

The installer creation program 20 has, though its
detailed explanation is omitted herein, a function (a) of
creating and editing the security policy file 15 in accordance
with an instruction given from an operator (who is an
administrator of the business-oriented network system), a
function (b) of creating an installer 22 for installing the
thus created-and-edited security policy file 15 together with
the function restricting program 10 into a computer (the
client terminal 50), a function (c) of generating a Web page
24 for the installer, through which the created installer 22
can be downloaded, and so forth.

The security policy file 15 referred to herein has contents
(a file-formatted database) as schematically shown in FIG. 2,
to which the function restricting program 10 refers during
its operation. Namely, the security policy file 15 is a file
that retains a given number of tuples (records corresponding
to a plurality of applications) each consisting of a caption
character string and pieces of information (which will
hereinafter be termed "inhibited process designating
information") designating which process among a variety of
processes is inhibited from being executed.

Note that when creating the security policy file 15 by
utilizing the installer creation program 20, a caption
character string registration dialog box 30 as shown in FIG. 3
and a security policy setting dialog box 40 as shown in FIG. 4
are displayed on the display of the Web server device 60.

Namely, the actual security policy file 15 retains a
given number of tuples each consisting of the caption
character string and the pieces of inhibited process
designating information designating which operation by a user
is invalidated (refer to the caption in the security policy
setting dialog box 40 in FIG. 4) with respect to each of Web
Browsers such as Microsoft Internet Explorer, Netscape
Navigator, Microsoft Excel and Microsoft Word (Microsoft
Internet Explorer, Microsoft Excel and Microsoft Word are
trademarks of Microsoft Corporation in U.S.A., and Netscape
Navigator is a trademark of Netscape Communication
Corporation in U.S.A. and other countries).

Further, the actual security policy file 15 is stored
with the inhibited process designating information containing
various pieces of information such as information indicating
whether a screen copy is invalidated or not ("Print Screen"
key is invalidated or not), information indicating whether
each menu item such as "saving with a name" is invalidated or
not, information indicating whether a right click is inhibited
or not, and so forth.

On the other hand, the present function restricting
program 10 has, as the installer creation program 20 has, the
function of creating and editing the security policy file 15.
A CD-ROM for installing the function restricting program 10
into the client device (terminal) 50 is also prepared for the
function restricting program 10. In the case of installing the
function restricting program 10 into the client device 50 from
the CD-ROM, an operation of creating the security policy file
15 by utilizing the aforementioned functions included in the
function restricting program 10 is performed by the
administrator.

The function restricting program 10, when booted (when
an OS on the client terminal 50 is booted), starts processing
in procedures shown in FIG. 5. Incidentally, in the following
discussion, the application for which the information
consisting of the caption character string and the inhibited
process designating information is set in the security policy
file 15 will be termed a function restricting target (object)
application.

Namely, the function restricting program 10 executes, to
begin with, a process of creating, on a RAM, a security policy
table composed of the pieces of information within the security
policy file 15 (step S101). In short, the function restricting
program 10 executes the process for setting the information
stored in the security policy file 15 in a usable state
without accessing a HDD.

Thereafter, the function restricting program 10 executes
in step S102 a process (for performing a so-called global
hook) for the OS (Windows XP, etc.: Windows XP is a trademark
of Microsoft Corporation in U.S.A.) to transfer a message to
the program itself before delivering the message to the
application.

Subsequently, the function restricting program 10 starts
a process (step S103) of monitoring a transfer, from the OS,
of a message (which will hereinafter be called a new window
display message) through which a window (which will
hereinafter be called a function restricting target window)
containing a title character string construed as coincident
with any one of the caption character strings in the security
policy table is to be displayed on the display by the
function restricting target application, and of a message
(which will hereinafter be called a window closed message)
through which the function restricting target window is
closed. Note that if a screen copy inhibition flag (of which
details will be explained later on; its initial value is "OFF")
is set ON, in step S103, the function restricting program 10
also monitors a transfer, from the OS, of a message (which will
be called a screen copy instruction message) through which
image data on the screen displayed on the display are copied
to a clipboard.

Then, if the new window display message is transferred
(step S103; new window display), the function restricting
program 10 executes a process (step S105) for invalidating
each menu item and each keyboard operation that instructs the
function restricting target application displaying the
function restricting target window to execute a process
that should be inhibited according to the inhibited process
designating information associated with (linked to) the
function restricting target window. Further, if the inhibited
process designating information associated with the function
restricting target window includes an inhibition of the screen
copy, the function restricting program 10 also executes, in
step S105, a process of setting the screen copy inhibition
flag to the "ON" status. It is to be noted that the inhibited
process designating information associated with the function
restricting target window is the inhibited process designating
information stored in the security policy table (the security
policy file 15), for the function restricting target
application displaying the function restricting target window,
in association with the caption character string construed as
coincident with the title character string of the function
restricting target window.

The function restricting program, which has finished the 
process in step S105, restarts the process in step S103. 

The function restricting program 10, when the window
closed message is transferred (step S103; window closed),
executes a process (step S106) for setting the screen copy
inhibition flag to the "OFF" status, unless any function
restricting target window left after the function restricting
target window has been closed by the window closed message
has the screen copy inhibited. Thereafter, the function
restricting program 100 again starts the process in step S102.

The function restricting program 10, when the screen copy
instruction message is transferred (step S103; instruction of
screen copy), executes a process (step S107) for clearing the
information copied to the clipboard by the screen copy
instruction message, and thereafter restarts the process in
step S103.

As discussed above, the function restricting program 10
in the present embodiment is capable of designating the
security level (the categories of processes whose execution is
inhibited) by the title character string. Therefore, the
use of this function restricting program 10 enables security
setting fine enough to make one of two pieces of information
browsed with the same application printable and the other
piece of information unprintable.

The function restricting program 10 does not judge
whether the screen copy is inhibited or not based on the
process inhibition designating information set for the active
function restricting target window (the screen copy is
inhibited in a case where there exists even one function
restricting target window with the screen copy inhibited).
Accordingly, the client terminal 50 preinstalled with the
function restricting program 10 functions as a device unable
to perform the screen copy (unable to extract the information
in the function restricting target window with the screen copy
inhibited) even when the function restricting target window
with the screen copy inhibited and the function restricting
target window with the screen copy uninhibited are displayed
simultaneously on the display.

<Modified Mode>

The function restricting program 10 described above can
be modified in a variety of forms. For instance, the function
restricting program 10 may be modified so that only the window
of which the title character string is coincident with the
caption character string in the security policy file 15 (the
security policy table) is dealt with as the function
restricting target window. The function restricting program
10 may also be modified so that the window of which the title
character string is similar to the caption character string
(which is a window having the same title character string as
the caption character string if, for example, half-size
characters are changed into full-size characters) is also
dealt with as the function restricting target window. The
function restricting program 10 may also be modified so as to
invalidate the screen copy only when the function restricting
target window with the screen copy inhibited is actually
displayed (so as not to invalidate the screen copy in a case
where the function restricting target window with the screen
copy inhibited is minimized and a case where all of this
window is hidden by another window).
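
The FIG. 5 message handling (steps S101 and S103 to S107) and the "similar title" variant above, modelled as an added example that is not code from the patent: a Python simulation of the event flow rather than a Windows message hook. The policy entries, the class and method names, and the use of Unicode NFKC folding for the half-size/full-size comparison are assumptions.

```python
import unicodedata
from dataclasses import dataclass, field

# Constructed policy table: caption character string -> inhibited processes.
POLICY = {
    "Payroll 2003 - Confidential": {"print", "save_as", "screen_copy"},
    "Staff Directory": {"save_as"},
}
# Constructed title: "Staff Directory" typed in full-size (full-width) letters.
FULLWIDTH_TITLE = ("\uff33\uff54\uff41\uff46\uff46 "
                   "\uff24\uff49\uff52\uff45\uff43\uff54\uff4f\uff52\uff59")


def fold_width(s):
    """Assumed similarity rule: NFKC folds full-size characters to half-size."""
    return unicodedata.normalize("NFKC", s)


@dataclass
class FunctionRestrictor:
    policy: dict
    similar: bool = False                # Modified Mode: width-insensitive match
    open_targets: dict = field(default_factory=dict)  # window id -> inhibited set
    screen_copy_flag: bool = False       # screen copy inhibition flag, initially OFF
    clipboard: object = None

    def __post_init__(self):
        # S101: build the in-memory security policy table once.
        self._key = fold_width if self.similar else str
        self.table = {self._key(c): frozenset(p) for c, p in self.policy.items()}

    def on_new_window(self, wid, title):
        """S105: return the processes invalidated for this window."""
        inhibited = self.table.get(self._key(title))
        if inhibited is None:            # not a function restricting target window
            return frozenset()
        self.open_targets[wid] = inhibited
        if "screen_copy" in inhibited:
            self.screen_copy_flag = True
        return inhibited

    def on_window_closed(self, wid):
        """S106: flag goes OFF only if no remaining target inhibits screen copy."""
        self.open_targets.pop(wid, None)
        self.screen_copy_flag = any(
            "screen_copy" in p for p in self.open_targets.values())

    def on_screen_copy(self, image):
        """S107: the copied image is cleared from the clipboard if the flag is ON."""
        self.clipboard = None if self.screen_copy_flag else image
        return self.clipboard


if __name__ == "__main__":
    r = FunctionRestrictor(POLICY, similar=True)
    print(sorted(r.on_new_window(1, FULLWIDTH_TITLE)))   # matched after folding
    r.on_new_window(2, "Payroll 2003 - Confidential")
    print(r.on_screen_copy(b"bitmap"))                   # cleared while flag is ON
    r.on_window_closed(2)
    print(r.on_screen_copy(b"bitmap"))                   # allowed again
```

Because the restriction is keyed on the title character string alone, a window whose title is not in the table (or differs in a way the chosen comparison does not fold) returns an empty set and is left unrestricted.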

Moreover, it is a matter of course that the categories
of the applications as the function restricting targets may be
set different from those described above, and that the dialog
boxes displayed when creating and modifying the security
policy file 15 may be set different from those described above.



